Thursday Report

From Washington, DC

  • Tammy Flanagan, writing in Govexec, discusses, “The Social Security Fairness Act: What we know so far.  It may take time to implement this new law — here’s what you should know for now.”
    • “It will undoubtedly take time to implement this new law as it impacts about two million beneficiaries who have their earned Social Security benefits reduced because of the WEP, and close to 750,000 individuals who have had spousal and widow’s benefits payable based on the Social Security work record of their current, former or deceased spouse.  
    • “The repeal of the WEP and GPO will increase the Social Security benefit entitlements of the government worker or retiree who is receiving a pension from work not covered by Social Security. For most of you reading today’s column, this would be the CSRS employees and retirees who are married or were married to a spouse who paid Social Security taxes and the CSRS employee or retiree who earned their own Social Security retirement benefit in addition to receiving a CSRS retirement benefit.  
    • “The WEP can also affect CSRS Offset employees and retirees as well as some employees or retirees who transferred to FERS after more than five years of creditable service under CSRS.”
  • The American Hospital Association News tells us,
    • “The Centers for Medicare & Medicaid Services will host a webinar Jan. 16 at 1 p.m. ET to provide an update on the No Surprises Act Good Faith Estimate requirements for uninsured and self-pay patients. Experts will discuss the recent GFE FAQs with a focus on implications for providers and facilities.”

From the public health and medical research front,

  • Per Medical Economics,
    • Screening for physical inactivity during routine medical visits can play a pivotal role in the identification of patients at risk for chronic diseases, according to a study published in Preventing Chronic Disease, a journal of the U.S. Centers for Disease Control and Prevention (CDC). Using the Exercise Vital Sign (EVS), researchers found that patients screened for physical activity had healthier profiles and fewer comorbid conditions than those who were not screened.
  • WTW Consulting informs us,
    • More and more evidence shows that GLP-1 medications are good for losing weight and reducing the amount of metabolic disease in people with obesity. But only about 52% of employers currently cover these drugs for obesity, and these employers are facing rising costs.
    • Previous research has shown that the cost of these drugs will exceed any medical cost savings, as is true for most medical interventions. For example, medical plans don’t save money by treating cancer or providing dialysis for patients with kidney failure.
    • JAMA Network Open recently published a study that showed that healthcare spending could decrease based on the type of weight loss seen with use of GLP-1 medications. However, the study demonstrates once again that even with their impressive impacts on patient weight and health, an employer-sponsored health insurance plan should not expect net medical savings from these medications.
    • The researchers looked at medical claims from over 13,000 commercially insured adults from the Medical Panel Expenditure Survey from 2001 to 2020 and found that medical spending was lower in those who weighed less. Therefore, cost effectiveness of an effective weight loss drug would be much higher in those with higher BMIs, especially in those with diabetes. 
    • However, the study didn’t evaluate people who had lost weight, but rather examined differences in costs based on BMI. Those who lose weight won’t necessarily have the same lower level of expense as those who weren’t previously obese. Even if their estimate of cost “savings” is correct, the net cost of semaglutide or tirzepatide is around $9,000 annually, which is more than the delta in costs for a person with diabetes who loses 25% of their body weight.
    • Implications for employers: 
      • An employer-sponsored health insurance plan should not expect net medical savings from these medications, even with their impressive impacts on patient weight and health.
      • The decision to cover these medications should be based on the benefit they offer, and not the hope of lower medical expenses. Lower prices would allow more people to benefit from these medications.
  • The Wall Street Journal warns us,
    • Wildfires in California aren’t all wild anymore. They often burn in urban areas, creating a toxic soup of smoke, ash and noxious substances that can be dangerous, even deadly. 
    • In Los Angeles this week, wildfires have burned buildings and roadways. Incinerating the plastics, metals and other materials that these structures are built from releases hazardous chemicals and gases into the air, doctors and public-health experts say. 
    • Wildfires which tear through urban landscapes release chemicals from human-made fuels, construction materials, household products and generate emissions which are chemically different from wildland fires, according to a 2022 report from the National Academies of Sciences, Engineering and Medicine. About 70,000 communities and 43 million homes are at risk from fires that could burn through both wild and urban landscapes, the report stated.
    • “The combination of wildfire smoke in conjunction with human elements might be even more dangerous,” said Dr. Sanjay Rajagopalan, chief of cardiovascular medicine at University Hospitals Harrington Heart & Vascular Institute in Cleveland. “When you burn plastic, for instance, or you burn rubber, you get some pretty nasty stuff.”
    • Smoke from the Los Angeles wildfires could have far-reaching effects. Depending on weather patterns and geographic conditions, smoke can travel vast distances. Tens of thousands of Los Angeles County residents have already been ordered to evacuate.
  • BioPharma Dive points out,
    • “An experimental menopause drug from Bayer succeeded in a late-stage trial in women taking drugs to treat or prevent breast cancer, the company said Thursday.
    • “Bayer said the drug, elinzanetant, significantly reduced the frequency of hot flashes and improved sleep for women with breast cancer, or who are at high risk of developing it, and whose symptoms are caused by hormone therapy. The study randomized 474 women to receive treatment or a placebo and measured the effects after four and 12 weeks.
    • “The announcement represents the fourth positive late-stage study result for elinzanetant, but the first that isn’t in menopausal women. Bayer has already submitted the drug for U.S. approval in postmenopausal women, and the Food and Drug Administration accepted its application in October. If cleared by regulators, the drug would compete with Astellas Pharma’s Veozah.”
  • Per Fierce Pharma,
    • “Trailing Johnson & Johnson’s powerhouse Darzalex by roughly five years in its development timeline has made it challenging for Sanofi’s Sarclisa—the only other CD38 antibody on the market for multiple myeloma—to compete in the indication.
    • “But with an on-body delivery system (OBDS) to deliver its subcutaneous (SC) formulation of Sarclisa, Sanofi may be finding the edge it needs.
    • “The company has taken a major step in the development of its OBDS as a phase 3 trial has met its primary co-endpoints, showing non-inferiority to intravenous (IV) Sarclisa. The company reported the trial result in a press release Thursday.”

From the U.S. healthcare business front,

  • Health Dive relates,
    • “Blue Shield of California, one of the largest plans in the state, has revamped its corporate structure and named its first-ever female CEO.
    • “Blue Shield created a parent company called Ascendiun to oversee the insurer, along with its managed Medicaid subsidiary and clinical services firm Altais, starting Jan. 1, the company announced Wednesday. Ascendiun also includes a newly created health services business called Stellarus, which aims to scale and sell Blue Shield’s pharmacy and technology offerings to other insurers.
    • “Lois Quam, who has been Blue Shield’s president since last year, will step up as chief executive of the insurer. Quam will be the first woman to serve as Blue Shield’s CEO in the organization’s 86 years of operation. Paul Markovich, Blue Shield’s CEO for over a decade, will become president of Ascendiun and will also lead Stellarus on an interim basis.”
  • and
    • “Amwell is selling its virtual psychiatric care business to fellow telehealth provider Avel eCare for about $21 million in cash, the company said Thursday. 
    • “The divestiture, which includes an additional earn-out payment for Amwell if the business meets financial targets, includes the psychiatric care segment’s technology and personnel along with Asana, a clinical network that employs and contracts with the unit’s clinicians. 
    • “Amwell CEO Ido Schoenberg said in a statement the sale strengthens the telehealth firm’s balance sheet and “fortifies our confidence” to reach positive cash flow in 2026.”
  • The American Hospital Association announced,
    • “The AHA today released its 2025-2027 Strategic Plan, approved by the AHA Board of Trustees in November. The plan is rooted in four core disciplines — advocacy and representation, thought leadership, knowledge exchange, and agents of change. It also includes nine principles that serve as the foundation of the AHA’s work and strategies to help the field make progress on its mission of advancing health in America. View the 2025-2027 Strategic Plan for more information.”
  • Modern Healthcare notes,
    • Oakland, California-based Kaiser Permanente led a $275 million Series F funding round for Innovaccer, a company that sells technology to unify patient data across health systems.
    • Innovaccer said the round will help it introduce new artificial intelligence and cloud capabilities. The company also said the new capital will help it to continue scaling a developer ecosystem that can allow health systems to implement AI tools with other third-party vendors.
  • NCQA suggests “Health Care Trends to Watch in 2025.”
  • Per Fierce Healthcare,
    • “A new report from Press Ganey highlights the close relationship between patient experience and health plan star ratings.
    • “Researchers polled 450,000 people across 200 plans and combined those survey results with its database of 5.5 million patient encounters. It found that people who gave poor scores for safety and privacy in surveys following a visit to their primary care providers also frequently awarded their health plan one star on quality and access to needed care on Medicare consumer services.
    • “The report noted these are critical data for plans to consider, as they have traditionally focused on making improvements to customer service, benefit design and patient engagement. It suggests they should also be considering ways to address safety.
    • “In addition, the survey found that patients expect easy access to primary care, but their ability to reach specialists is a key differentiator. Plans that earned four or more stars connected a higher proportion of their members with specialty care.”
  • MedTech Dive points out “five medtech trends to watch in 2025. After a busy 2024, experts called out competition in soft tissue robotics, uncertainty from a Trump White House and continued success for pulsed field ablation as trends to watch this year.”

Midweek Report

From Washington, DC

  • FedScoop informs us,
    • “President Joe Biden on Saturday signed into law the Government Service Delivery Improvement Act, legislation that targets improving customer service interactions with the government.
    • “The bill (H.R. 5887) was first introduced by Reps. Ro Khanna, D-Calif., Byron Donalds, R-Fla., Barry Loudermilk, R-Ga., and William Timmons, R-S.C., in October 2023. Now as law, it requires the Office of Management and Budget to choose a senior official as a “Federal Government Service Delivery Lead” to coordinate government service delivery improvement within agencies. 
    • “That service delivery lead would also work with new agency-appointed senior officials, who must be named within a year of the bill’s enactment, to oversee their organizations’ delivery improvements.”
  • Per an HHS press release,
    • “Today, U.S. Department of Health and Human Services Secretary Xavier Becerra announced he would delegate the authority vested in the HHS under the Dr. Emmanuel Bilirakis and Honorable Jennifer Wexton National Plan to End Parkinson’s Act to the National Institutes of Health, with support from the HHS Office of the Assistant Secretary for Health.”
  • and
    • “Today, the White House Initiative on Asian Americans, Native Hawaiians, and Pacific Islanders (WHIAANHPI) unveiled Rising Together, its final report to President Joe Biden. The report showcases how the Biden-Harris Administration has leveraged the full force of the federal government to make real the promise of America for Asian American, Native Hawaiian, and Pacific Islander (AA and NHPI) communities. Read the full report at wh.gov/whiaanhpireport2025 (PDF).”
  • and
    • “Today, the U.S. Department of Health and Human Services (HHS) announced seven winners of the KidneyX Sustainability Prize, designed to incentivize development of solutions to reduce water or power usage during dialysis care.” * * *
    • “HHS congratulates the winners of the KidneyX Sustainability Prize, who will each receive an equal share of the $7.25 million prize purse:  
      • Kuleana Technology Inc: Advancing Hemodialysis Sustainability: Dialysate Regeneration via Uremic Toxin Photo-Oxidation. “Kuleana Technology’s Dialysate Regeneration Module enables hemodialysis with just 2 liters of water per treatment, making dialysis portable and accessible while saving 300 billion liters of water per year worldwide.”
      • Micro Nano Technologies Inc: Handheld Water-Free and Battery-Powered Renal Replacement System. “The proposed technology mimics kidney filtration, eliminating the need for water and operating on a laptop-sized battery for 8 hours, ensuring dialysis access during disasters without traditional infrastructure.”
      • Particle4X: SMART-PD: Sustainable Home Dialysis Revolution. “SMART-PD is an advanced home dialysis system that produces sterile PD fluid from tap water, reclaims effluent, and employs AI-powered monitoring to enhance sustainability and patient safety.”
      • Qidni Labs Inc: Qidni/D: A Novel Sorbent Platform for Dialysis. “The Qidni/D is a portable and nearly waterless hemodialysis system that can offer accessible and sustainable access to care anywhere.”
      • Stephen Ash: Sorbent Regeneration of Dialysate with Improved Ammonium Capacity. “We have developed a sorbent with high capacity for NH4+ (from urea) and minimal binding of Ca++ and Mg++, which should make regeneration of dialysate simpler, smaller and more practical.”
      • University of Minnesota: Decentralized Dialysis Fluid Production: Enhancing the Sustainability of Dialysis Care. “Our innovation enables decentralized production of peritoneal dialysis fluids, reducing dialysis energy and water consumption by 48% and 66%, respectively, increasing supply chain resilience, and improving patient outcomes worldwide.”
      • Wearable Artificial Organs Inc: Green dialysis on batteries using only 300ml of water. “A 2 lb. miniaturized Wearable Artificial Kidney (WAK) powered by rechargeable batteries, continuously regenerates dialysate water and delivers continuous dialysis 24 hours a day, 7 days a week.”
    • Kudos to the prize winners.
  • The American Hospital Association News tells us,
    • “The Centers for Medicare & Medicaid Services Jan. 8 announced 23.6 million consumers have signed up for a 2025 Health Insurance Marketplace plan. Of that total, approximately 3.2 million are new consumers. Open enrollment continues until Jan. 15 for the 31 states that use HealthCare.gov and most state-based marketplaces for coverage beginning Feb. 1.” 
  • Kevin Moss, writing in Federal News Network, answers the question “If someone is on Federal Health Benefits, what happens when they turn 65 and become eligible for Medicare, and what happens when their spouse turns 65 and is also eligible for Medicare?” It’s worth adding that OPM regulations grant a special FEHB/PSHB open enrollment period to employees and annuitants who turn 65:
    • On becoming eligible for Medicare. An employee [or an annuitant] may change the enrollment from one plan or option to another at any time beginning on the 30th day before becoming eligible for coverage under title XVIII of the Social Security Act (Medicare). A change of enrollment based on becoming eligible for Medicare may be made only once. 5 CFR Secs 890.301(k), 890.306(p)
  • Stars and Stripes gives us an update on the “pilot program aimed at helping Department of Defense civilian employees [based in Japan] find health care from Japanese providers is up and running, according to the DOD. The program, which aims to connect the civilians with local health care providers without paying large, upfront service fees, among other advantages, began Jan. 1, according to a fact sheet emailed to employees Wednesday by the U.S. Army Civilian Human Resources Agency. The program complements existing health insurance coverage for eligible DOD employees.”

From the judicial front,

  • Bloomberg Law reports,
    • “A trade group representing consumer credit reporting companies and a Texas-based credit union association sued to block the Consumer Financial Protection Bureau’s new rule barring most medical debt from credit reports.
    • “The CFPB overstepped its authority in eliminating medical debt from credit reports and banning creditors from considering medical debt in lending decisions, the Consumer Data Industry Association and the Cornerstone Credit Union League said in a complaint filed Tuesday in the US District Court for the Eastern District of Texas.
    • “Only Congress has the power to determine whether information can or can’t be included in credit reports, the complaint said.
    • “The ban will make it harder for lenders, employers, and rental housing providers to make informed decisions about the creditworthiness of borrowers, the industry groups said. 
    • “Knowing whether a consumer has debt is an important element of underwriting, and unilaterally eliminating consideration of coded medical debt information erodes the predictive nature, and therefore the value, of consumer reports,” the complaint said.
    • “The suit came on the same day the CFPB finalized its medical debt rule.”

From the Food and Drug Administration front,

  • Fierce Pharma lets us know,
    • “The FDA will require GSK and Pfizer to include on the label of their respiratory syncytial virus (RSV) vaccines a warning about the risk of developing Guillain-Barré syndrome (GBS), a rare neurological condition that can cause paralysis.
    • “The ruling will affect GSK’s Arexvy and Pfizer’s Abrysvo, both of which were approved by the agency in May of 2023 for adults 60 years or older and realized booming sales in their first year on the market.
    • “Seven months ago, however, the sales potential for both shots declined significantly when the Centers for Disease Control and Prevention (CDC) recommended that they only be used by adults aged 75 and older and those 60 and older who have a high risk of severe disease due to underlying medical conditions.
    • “In narrowing the population with its revised recommendation, the CDC cited the potential link between the vaccines and GBS.
    • “On Tuesday, the FDA explained that its new guidelines come after the agency conducted a post marketing observational study and evaluated the results of clinical trials and reports to its Vaccine Adverse Event Reporting System (VAERS).”
  • Per Healthcare Dive,
    • “The Food and Drug Administration’s device center clarified how manufacturers should approach artificial intelligence in a draft guidance issued on Monday.
    • “The document outlines recommendations for design, development and maintenance to ensure AI-enabled devices are safe and effective. In particular, the guidance outlines how device makers should address transparency and bias and when post market monitoring is needed. 
    • “Troy Tazbaz, director of the FDA’s Digital Health Center of Excellence, said the agency has authorized more than 1,000 AI-enabled devices to date. 
    • “As we continue to see exciting developments in this field, it’s important to recognize that there are specific considerations unique to AI-enabled devices,” Tazbaz said in a statement.”
  • Per MedTech Dive,
    • “Johnson & Johnson said Wednesday it paused all U.S. Varipulse cases while the company investigates the cause of four reported neurovascular events.
    • “J&J said the cases were part of an external evaluation in the U.S. The pause was initiated on Jan. 5. J&J completed more than 130 cases across 14 sites as of Jan. 3.
    • “An external evaluation is a limited rollout intended to collect physician feedback on a new technology before a full release, a J&J spokesperson said in an email to MedTech Dive.
    • “Because the evaluation used a unique platform configuration, the pause does not affect the rollout of Varipulse outside of the U.S., where more than 3,000 commercial cases have been completed, J&J said.
    • “The pause of U.S. cases comes two months after J&J received Food and Drug Administration approval for Varipulse, becoming the third device company to offer a PFA system in the U.S.”

From the public health and medical research front,

  • The National Cancer Institute released its Cancer Information Highlights concerning “Targeted Therapy for Head and Neck Cancer & CAR T-Cell Therapy for Brain Cancer.”
  • MedPage Today informs us,
    • A study of older adults showed that 6% had depression, with higher prevalences in certain groups, including women, those who were unmarried, and those with chronic medical conditions. (Journal of the American Geriatrics Society)
    • A single 25-mg dose of synthetic psilocybin significantly improved depressive symptoms by week 3 among participants with severe treatment resistance in a small single-arm open-label trial. (American Journal of Psychiatry)
    • Older adults with major depressive disorder displayed riskier driving compared with those without depression, according to a prospective longitudinal cohort study. (JAMA Network Open).
  • MedPage Today adds, “Two types of Wicklow Gold cheddar cheese sold in five states were recalled due to potential contamination with Listeria monocytogenes, Abbey Specialty Foods said [last Friday].”

From the U.S. healthcare business front,

  • Healthcare Dive expects that “Health insurers will step off the roller coaster in 2025. After a turbulent year, things should calm for payers with the advent of a business-friendly Trump administration — though challenges will persist.”
  • MedCity News discusses
    • How Can Employers Manage Rising Healthcare Costs in 2025? Multiple reports indicate that employers can expect rising healthcare costs in 2025. To address these costs, employers are holding their vendor partners accountable and evaluating their health plan and PBM partners.
  • and
    • “Biopharma in 2025: Outlook for Obesity Meds, Drug Prices, Regulation & More. Metabolic medicines dominated life sciences headlines in 2024, a trend expected to continue into the new year. Other things to look for include more widespread adoption of artificial intelligence technologies and the IPO market’s return to normal levels.”
  • STAT News reports
    • “Next week brings the return of the J.P. Morgan Healthcare Conference, and with it another fabled opportunity for companies in the industry to court possible mergers, acquisitions, and licensing deals. This year, there will be even greater pressure to make a good match, as the pharmaceutical industry, which drives more than $1 trillion in economic activity and thousands of jobs, faces one of the largest patent cliffs in recent history. 
    • “Between now and 2033, the patents on dozens of brand-name medications will expire, allowing generic drugmakers to begin selling cheaper versions. Drug companies stand to lose more than $400 billion in revenue as patents expire for Keytruda, Eliquis, Jardiance, Opdivo, and other blockbuster therapies. (By comparison, the last major patent cliff that hit the industry, in 2011, jeopardized around $250 billion in drug revenue.) 
    • “One of the few tried-and-tested methods for navigating a patent cliff is to acquire startups and new drugs — and lots of them. As a result, many experts anticipate pharma ramping up M&A activity in 2025, starting at the J.P. Morgan conference. 
    • “We always have a handful of deals announced around JPM. But the real work is the meetings that happen at JPM, that start the discussions.… I think people need to buckle up, because it’s already twice as frothy and could get even more,” said Charles Ruck, an attorney at Latham Watkins who specializes in M&A.”
  • Per Fierce Healthcare,
    • “Two-thirds of insured Americans say they would trust a health insurer’s artificial intelligence copilot to accurately inform them about a health plan’s benefits, a survey conducted by virtual care navigation platform Pager Health and market research firm The Harris Poll reveals.
    • “Of the respondents, 66% believe AI can correctly personalize digital healthcare with the goals and needs of the member. Even more respondents think AI can find doctors accepting new members and schedule appointments.
    • “The survey, shared exclusively with Fierce Healthcare, provides insights into how members want insurers to offer a better customer experience, sometimes through AI. However, health plans do not fully capitalize on this opportunity.
    • “Only 41% of people say they receive personalized messages, while 17% don’t receive health plan recommendations at all. About one-third of respondents say an insurer’s wellness programs would be more enticing if they received progress alerts, biometric information or claims data.
    • “Only health plans that fully leverage the power of AI to analyze the wealth of health data available will be able to meet this demand and, in the process, boost member engagement and satisfaction,” said Rita Sharma, chief product officer at Pager Health, in a news release.”
  • The Wall Street Journal reports,
    • “Novo Nordisk expanded a deal with Valo Health, a U.S. company, to discover and develop treatments for obesity, type 2 diabetes and cardiovascular disease using human data and artificial intelligence.
    • “The deal extends an agreement signed in 2023 and will see Valo become eligible for increased payments and funding.
    • “Under the original deal, the companies agreed to develop up to 11 drug programs, primarily focused on cardiovascular disease, with Valo eligible to receive up to $2.7 billion in milestone payments, plus research and development funding and potential royalty payments.
    • “The new agreement set out Wednesday expands the scope to put a stronger focus on obesity and type 2 diabetes and includes near-term payments to Valo of up to $190 million.
    • “A further $4.6 billion in potential milestone payments will be made for up to nine new drug programs and Valo will also be eligible for more research and development funding and potential royalty payments.
    • “The companies will continue to use Valo’s drug discovery and development platform that uses patient data and AI to generate new insights and translate them into potential therapeutics.”
  • Per Healthcare Dive,
    • “Transcarent, a healthcare platform for self-insured employers, will acquire benefits navigator Accolade for about $621 million, the companies announced Wednesday.
    • “The deal will combine Transcarent’s offerings — including an artificial intelligence-backed information and navigation service, health benefits guidance and virtual care — with Accolade’s services, like providing virtual primary care and specialist consultations, as well as patient advocates and care navigation. 
    • “The acquisition will net Accolade stockholders $7.03 per share in cash, an approximately 110% premium over the company’s closing stock price on Tuesday. Transcarent’s CEO, noted entrepreneur and investor Glen Tullman, will head up the combined organization, according to a spokesperson.”

Cybersecurity Saturday

From the retrospection front,

  • Bleeping Computer reflects on the fourteen “biggest cybersecurity and cyberattack stories of 2024.”
  • Dark Reading queries “What Security Lessons Did We Learn in 2024?”

From the cybersecurity policy and law enforcement front,

  • Beckers Hospital Review highlights
    • “six things the proposed changes to HIPAA would require of [HIPAA covered entities and business associates]:
      • 1. Encrypt electronic protected health information “with limited exceptions.”
      • 2. Implement multifactor authentication “with limited exceptions.”
      • 3. Deploy antimalware software.
      • 4. Establish written procedures to restore EHR systems and data within 72 hours of a cyberattack.
      • 5. Notify certain regulators within 24 hours when an employee’s electronic access to EHR data or systems is changed or terminated.
      • 6. Develop and revise an inventory and network map that illustrates the movement of EHR data through the organization’s systems at least once every 12 months.”
  • Dark Reading summarizes themes of the proposed HIPAA Security Rule amendments (some of which are overkill in the FEHBlog’s opinion) and notes
    • “The changes to the security rule will cost approximately $9 billion in the first year and $6 billion for years two to five, said Anne Neuberger, deputy national security adviser for cyber and emerging technology, during a Dec. 27 press briefing.
    • “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
    • “Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments (early March 2025). HHS will issue the final version of the rule afterward, although a specific date has not yet been set, followed by a compliance date of 180 days. It is also not clear whether work on the changes will continue under the new presidential administration. Even so, healthcare organizations should review proposed requirements and evaluate their existing security programs to prepare.”
  • Another Dark Reading article goes into more detail about the proposed rule, which is fitting for a “nearly 400-page proposal.”
  • Dark Reading also reports,
    • “A US Army soldier was reportedly arrested Dec. 20 in Texas and charged with two counts of unlawful transfer of confidential phone records.  
    • “Cameron John Wagenius, 20, is suspected of leaking presidential call logs belonging to AT&T and Verizon under an online alias of “Kiberphant0m.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “The Treasury Department told lawmakers Monday [December 30, 2024] that a state-sponsored actor in China hacked its systems, accessing several user workstations and certain unclassified documents.
    • “The Treasury was informed on Dec. 8 by a third-party software service provider, BeyondTrust, that a threat actor used a stolen key to remotely access certain workstations and unclassified documents, according to a letter reviewed by The Wall Street Journal.
    • “Once alerted, the department said it immediately contacted the Cybersecurity and Infrastructure Security Agency and has since worked with law enforcement partners across the government to assess the incident.
    • “The compromised BeyondTrust service has been taken offline and there is no evidence indicating the threat actor has continued access to Treasury systems or information,” a spokesperson said.
    • “In response, the Chinese embassy in Washington, D.C., denied the Treasury Department’s allegations, and said that its government opposes what it described as U.S. smear tactics without any factual basis.”
  • Per Cybersecurity Dive,
    • “Weeks after BeyondTrust disclosed an attack spree against a limited number of customers, more than 8,600 instances of the company’s Privileged Remote Access and Remote Support products remain exposed, according to a blog post released Thursday [January 2, 2025] by Censys.
    • “BeyondTrust in December warned that an attacker gained access to a limited number of Remote Support SaaS instances utilizing a compromised API key. This week, the U.S. Department of Treasury said a suspected state-linked attacker gained access to a number of workstations and stole unclassified information using a BeyondTrust key.
    • “Censys researchers, in the Thursday [January 2, 2025] blog, indicated that not all of the exposed instances are considered vulnerable, because the firm does not have access to the versions involved.”
  • The Cybersecurity and Infrastructure Security Agency added one known exploited vulnerability to its catalog this week.
  • Palo Alto Networks offers details on this CVE at this link.
  • An ISACA commentator cautions “Overreliance on Automated Tooling is A Big Cybersecurity Mistake.”
  • A Dark Reading commentator warns,
    • “Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.
    • “There was a time when “trust but verify” made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.”
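The “verify once, then trust forever” failure the commentator describes is easiest to see side by side with a policy that re-checks on every request. The following Python is an added example written for this post, not code from the Dark Reading piece; the session fields, the eight-hour freshness window and the device posture attributes (patched, disk encrypted, MFA satisfied) are assumptions chosen for illustration.

```python
"""Verify-once-and-trust versus per-request re-verification (added example).

A constructed scenario enrols a healthy device, lets it fall out of patch
compliance an hour later, then lets the session age past the freshness
window. The legacy policy keeps saying "allow"; the continuous policy does not.
All field names, thresholds and sample values are assumptions.
"""
from dataclasses import dataclass

MAX_SESSION_AGE_SECONDS = 8 * 3600  # assumed policy: re-verify at least every 8 hours


@dataclass(frozen=True)
class Posture:
    """Device state an endpoint agent would report at request time (assumed fields)."""
    patched: bool
    disk_encrypted: bool
    mfa_satisfied: bool


@dataclass
class Session:
    user: str
    device_id: str
    verified_at: float      # epoch seconds of the last successful verification
    verified: bool = False  # the one-time result a "trust once" policy relies on


def posture_ok(p: Posture) -> bool:
    """Posture requirements every request must meet under continuous verification."""
    return p.patched and p.disk_encrypted and p.mfa_satisfied


def verify(session: Session, posture: Posture, now: float) -> bool:
    """Explicit (re)verification: the step both policies run at session start."""
    session.verified = posture_ok(posture)
    if session.verified:
        session.verified_at = now
    return session.verified


def authorize_trust_once(session: Session, now: float, current: Posture) -> bool:
    """The pattern the commentary criticises: a session that passed its initial
    check stays trusted for its whole lifetime; `now` and `current` are ignored."""
    return session.verified


def authorize_continuous(session: Session, now: float, current: Posture) -> bool:
    """Re-verify on every request: the session must be fresh AND the device must
    still satisfy posture requirements right now, not only when it enrolled."""
    if not session.verified:
        return False
    if now - session.verified_at > MAX_SESSION_AGE_SECONDS:
        return False  # stale session: force a fresh verification before allowing
    return posture_ok(current)


def simulate() -> dict:
    """Run the constructed scenario and return both policies' decisions per step."""
    t0 = 1_700_000_000.0
    healthy = Posture(patched=True, disk_encrypted=True, mfa_satisfied=True)
    unpatched = Posture(patched=False, disk_encrypted=True, mfa_satisfied=True)
    session = Session(user="alice", device_id="laptop-42", verified_at=0.0)
    verify(session, healthy, t0)  # initial verification succeeds for both policies

    steps = [
        ("enrolment", t0, healthy),
        ("missed patch, 1h later", t0 + 3600, unpatched),
        ("patched again, 9h later", t0 + 9 * 3600, healthy),
    ]
    results = {}
    for label, now, posture in steps:
        results[label] = {
            "trust_once": authorize_trust_once(session, now, posture),
            "continuous": authorize_continuous(session, now, posture),
        }
    return results


if __name__ == "__main__":
    for label, decision in simulate().items():
        print(f"{label:26s} trust_once={decision['trust_once']!s:5} "
              f"continuous={decision['continuous']}")
```

In the second step the device has drifted out of compliance and in the third the session is older than the freshness window, yet the trust-once policy allows both because its only input is the verification flag set at enrolment. The continuous policy denies both; in the third case the fix is simply to call `verify` again with the current posture.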

From the ransomware front,

  • Cybersecurity Dive lets us know,
    • “Rhode Island officials said a ransomware group has begun to leak stolen information from a state social services database following a December attack. 
    • “In a Monday [December 30, 2024] press conference, Rhode Island Gov. Daniel McKee said the state was informed by Deloitte, which manages the RIBridges program, that hackers had begun to release data on a dark web leak site. 
    • “The contents of those files are still being analyzed by experts,” McKee told reporters during the briefing. “Identifying what is in those files is a complex process, but they’re working right now to make those identifications.”
    • “RIBridges is a state program that administers several social services programs, including Medicaid, Temporary Assistance for Needy Families and other programs.”  * * *
    • “A threat group called Brain Cipher previously claimed credit for the attack, which was disclosed Dec. 5. The group has been active since June 2024 and leverages the LockBit 3.0 payload for their ransomware payloads, SentinelOne previously told Cybersecurity Dive.
    • “The group often uses phishing campaigns to gain initial access to targeted organizations, thus tricking users into downloading malicious files, according to Jon Miller, co-founder and CEO of Halcyon. 
    • “Once inside, they leverage tools and exploits to move laterally across networks, frequently targeting Windows domain administrator credentials to maximize their reach,” Miller said via email.
    • “Researchers from Sophos confirmed Brain Cipher posted detailed information on a leak site claiming credit for the RIBridges database incident.”
  • Per Security Week,
    • “The Richmond University Medical Center in New York has been investigating a ransomware attack since May 2023 and it recently determined that the incident resulted in a data breach affecting more than 670,000 people. 
    • “The healthcare facility, which serves residents in Staten Island, New York, suffered significant disruptions in May 2023 after being targeted in a ransomware attack. It took the organization several weeks to restore impacted services.
    • “An initial forensic investigation showed that the hospital’s electronic health record systems were not compromised, but it was later determined that other files may have been accessed or exfiltrated from Richmond University Medical Center’s network in early May. 
    • “Once the investigation determined what files may have been accessed or removed from our network, we located a copy of each file and then undertook a manual review process of those files to determine whether they contained any sensitive personal information or personal health information,” the hospital said in a security incident notice.”
  • Healthcare IT News adds,
    • “Ransomware attacks are having a severe impact on U.S. healthcare organizations, with an alarming escalation in incidents and their consequences, according to a Comparitech report.
    • “The study found that, since 2018, 654 ransomware attacks have targeted healthcare providers, with 2023 standing out as a record-breaking year, logging 143 incidents.
    • “These attacks compromised over 88.7 million patient records during this period, with more than 26.2 million breached in 2023 alone.
    • “Each day of downtime due to ransomware costs healthcare organizations an average of $1.9 million, culminating in an estimated $21.9 billion in downtime losses over six years.
    • “On average, medical organizations experienced 17 days of downtime per incident, with the highest disruptions reported in 2022, averaging 27 days.”

From the cybersecurity defenses front,

  • A Dark Reading commentator explains how to get the most out of your cybersecurity insurance policy.
    • “As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.
    • “Prepare for increasingly rigorous risk assessments from [insurance] providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.
    • “Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.”
  • Cybersecurity Dive informs us,
    • “Most cyber leaders are bullish on generative AI despite governance concerns, according to a CrowdStrike survey published in December. Nearly two-thirds say their organization would overhaul tooling in order to leverage better generative AI capabilities. 
    • “Leaders expect generative AI adoption to bring ROI through cost optimization, easier tool management, reduced incidents and shorter training cycles, according to the survey of more than 1,000 cybersecurity leaders and practitioners. 
    • “Respondents said the leading concern when weighing a generative AI purchase is how applications or services integrate with current tools. Around 70% intend to purchase access to the technology in the next year.”
  • Dark Reading discusses “6 AI-Related Security Trends to Watch in 2025. AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.”
  • Here is a link to Dark Reading’s CISO Corner.

Monday report

Thanks to Justin Casey for sharing their work on Unsplash.

From Washington, DC

  • Per a press release,
    • “OPM joins the nation in mourning the passing of President Jimmy Carter. President Carter showed that public service isn’t just a line of work – it is life’s calling. From a young naval officer to a political leader, to leading as a humanitarian building homes and curing diseases, President Carter answered the call to public service. He set an example for every American to give back to their communities. He will truly be missed.” 
  • The Washington Post reports,
    • “Memorial services for former president Jimmy Carter are expected to span several days and include public events in Atlanta and Washington.
    • “Carter’s state funeral will be held Jan. 9 at 10 a.m. inside Washington National Cathedral after a procession from Georgia and a ceremony in which his body will lie in state in the U.S. Capitol, according to a news release from the Joint Task Force-National Capital Region.
    • “The 39th president will then be buried in a private ceremony in his hometown, Plains, Georgia.”
  • Govexec adds,
    • “President Biden issued an executive order on Monday to close federal agencies and offices next month in recognition of former President Jimmy Carter, who died Sunday at 100 in his home in Plains, Georgia.”
    • In accompanying guidance, Office of Personnel Management acting Director Rob Shriver said all federal employees would be excused from duty Jan. 9 “except those who, in the judgment of the head of the agency, cannot be excused for reasons of national security, defense, or other essential public business.” 
    • The day off applies to federal employees nationwide and will be treated like a holiday for purposes of pay and leave, the memorandum said.  

From the public health and medical research front,

  • The Wall Street Journal reports,
    • “When President Jimmy Carter was diagnosed in 2015 with cancer in his liver and brain, he said that he would like to see the last Guinea worm die before he did.
    • “That just about came true.
    • “There were 3.5 million cases of the parasitic worm disease in 1986, when the 39th U.S. president took up the cause of eradicating it. In 2023, there were 14 human cases, and 11 from January through early December 2024, according to a provisional count.
    • “We’re not there yet, but thanks to him we’re very close,” said Dr. Donald R. Hopkins, former vice president of health programs and now special adviser on Guinea worm eradication to the Carter Center, the human-rights nonprofit the former president founded in 1982 with his wife, Rosalynn Carter.”
  • The Washington Post reports,
    • “Cases of the illness known as norovirus — which induces miserable bouts of vomiting and diarrhea — are surging across the United States, according to the Centers for Disease Control and Prevention. Ninety-one outbreaks of the gastrointestinal bug were reported the week of Dec. 5, the latest period for which data is available. That’s 22 more outbreaks than in the last week of November.
    • “While sometimes referred to as the stomach flu, the disease is not caused by the influenza virus, which results in respiratory illness.
    • “There are about 2,500 reported outbreaks each year in the United States, happening most frequently between November and April. When new strains of norovirus emerge, case counts usually rise, according to disease trackers.
    • “This year, the number of reported norovirus outbreaks have exceeded the numbers that we’ve seen recently and in the years before the pandemic,” according to the CDC.”
    • The article delves into signs and symptoms, treatment options, etc.
  • The American Medical Association tells us what doctors wish their patients knew about depression.
  • Neurology Advisor adds, “One in 6 women experienced symptoms of postpartum depression 2 months after cesarean delivery, according to study findings published in the American Journal of Obstetrics and Gynecology.”
  • The Wall Street Journal tells us about a 24 year old man who is trying to “outrun” schizophrenia.
    • “For the past four years, Kevin has been part of a living experiment. Shortly after he began hallucinating, during his junior year at Syracuse University, his doctors recommended him for an intensive, government-funded program called OnTrackNY. It provided him with therapy, family counseling, vocational and educational assistance, medication management and a 24-hour hotline.
    • “Such programs — there are around 350 in the United States — challenge the old idea that psychotic disorders are degenerative, a long slide to permanent disability. They operate on the notion of a golden hour. By wrapping a young person in social supports early on, the theory goes, it may be possible to prevent the disorder from advancing.” * * *
    • “But now, after four years, his time in the program was up. An estimated 100,000 people experience a first episode of psychosis every year, roughly four times the number of spots available in early intervention programs. So in December, it would all go away: the team of five providers and the hotline and the therapist who reminded him of his mother.
    • “What would happen to him without their support? Even as enthusiasm for early intervention builds, long-term studies are casting doubt on whether its benefits last after discharge. For Kevin, leaving the program meant a sudden blast of autonomy and a million questions about what his future, with schizophrenia, would look like.
    • “The training wheels are coming off,” he said.”
  • Per MedPage Today,
    • “There was “low but improving uptake” of reporting about the diversity of participants in summary documents for FDA-cleared pulse oximeters after voluntary guidance was issued in 2013, an analysis of public FDA records found.” * * *
    • “The most important finding is that although there were more mentions of skin color descriptors in performance testing after the FDA’s guidance, a majority of the public clearance documents for pulse oximeters did not include any mention of testing in diverse individuals,” Ferryman told MedPage Today in an email.
    • “Clinicians who work in hospital settings often do not get to choose which pulse oximeter device they use with their patients,” Ferryman said. “Because this research is based on the public record, it suggests that even if clinicians wanted to do their own research on the performance of pulse oximeters across diverse populations, the majority of FDA-cleared device records do not include any information about testing in different skin tones.”
    • Pulse oximeter readings in patients with darker skin tones tend to overestimate oxygen saturation, a long-standing issue described in multiple studies and discussed by an FDA advisory committee. * * *
    • “Newer FDA guidance on pulse oximeter testing that’s under development may correct some of these problems, but no single change in guidance “is likely to be sufficient to fully correct the problems of development, marketing, and dissemination of fully equitable pulse oximeters,” the [researchers] wrote.”
  • Per National Institutes of Health press releases,
    • A study of nearly 10,000 adolescents funded by the National Institutes of Health (NIH) has identified distinct differences in the brain structures of those who used substances before age 15 compared to those who did not. Many of these structural brain differences appeared to exist in childhood before any substance use, suggesting they may play a role in the risk of substance use initiation later in life, in tandem with genetic, environmental, and other neurological factors.
    • “This adds to some emerging evidence that an individual’s brain structure, alongside their unique genetics, environmental exposures, and interactions among these factors, may impact their level of risk and resilience for substance use and addiction,” said Nora Volkow M.D., director of NIDA. “Understanding the complex interplay between the factors that contribute and that protect against drug use is crucial for informing effective prevention interventions and providing support for those who may be most vulnerable.”
    • “Among the 3,460 adolescents who initiated substances before age 15, most (90.2%) reported trying alcohol, with considerable overlap with nicotine and/or cannabis use; 61.5% and 52.4% of kids initiating nicotine and cannabis, respectively, also reported initiating alcohol. Substance initiation was associated with a variety of brain-wide (global) as well as more regional structural differences primarily involving the cortex, some of which were substance-specific. While these data could someday help inform clinical prevention strategies, the researchers emphasize that brain structure alone cannot predict substance use during adolescence, and that these data should not be used as a diagnostic tool.”
  • and
    • “Among people with dialysis-dependent kidney failure, a form of psychological therapy called pain coping skills training reduced how much pain got in the way of their daily lives, also known as pain interference. The clinical trial, funded by the National Institutes of Health (NIH), found that training people on how to manage pain reduced the extent to which pain affected their work and social activities, mood, and relationships. The pain coping skills training, which was adapted for people undergoing long-term dialysis, also improved other effects of pain, including the intensity of pain, depression, anxiety, and quality of life. Pain coping skills training is an approach widely used for chronic pain, but it had not previously been tested for people treated with dialysis.
    • “Very few interventions have been shown to improve the quality of life for people with end-stage kidney disease being treated with dialysis,” said Dr. Paul Kimmel, program director at NIH’s National Institute of Diabetes and Digestive and Kidney Diseases (NIDDK), which led the study. “For example, opioids, which have been a main treatment for pain in this population, have side effects that can be more pronounced in the presence of kidney failure, making pain management challenging.” * * *
    • “The study results indicate that pain coping skills training may be an appealing alternative or complement to pain medications. Although the effect of the pain coping skills training on the overall cohort was modest, its high acceptability, tolerability, and safety and its observed benefits to pain, anxiety, depression, and quality of life support further research on developing nonpharmacologic, non-invasive strategies for managing pain in dialysis populations.
    • “Future work will focus on how to prolong the favorable effects of pain coping skills training and how to broadly implement this intervention in clinical practice,” said lead author Dr. Laura M. Dember, nephrologist and clinical investigator at the University of Pennsylvania Perelman School of Medicine, Philadelphia. “Based on the successful results of this study, our hope is that this intervention can be made available broadly to patients receiving dialysis.”
  • The Wall Street Journal offers a quiz about the FDA’s latest guidance on whether a particular food is healthy. For what it’s worth, the FEHBlog scored 100.

From the U.S. healthcare business front,

  • Fierce Pharma offers a “2025 forecast: After Novo, Lilly expansion sprees, ‘positive signals’ emerge around future supply of GLP-1 drugs.”
  • The Washington Post informs us,
    • “They don’t get fruitcakes or Christmas cards from grateful patients, but for decades robots have been helping doctors perform gallbladder removals, hysterectomies, hernia repairs, prostate surgeries and more. While patients lie unconscious on the operating table, robotic arms and grippers work on their bodies at certain stages in these procedures ― all guided by doctors using joystick-like controllers, a process that minimizes human hand tremor.
    • “Now, a team of Johns Hopkins University and Stanford University researchers has reported a significant advance, training robots with videos to perform surgical tasks with the skill of human doctors.
    • “The robots learned to manipulate needles, tie knots and suture wounds on their own. Moreover, the trained robots went beyond mere imitation, correcting their own slip-ups without being told ― for example, picking up a dropped needle. Scientists have already begun the next stage of work: combining all of the different skills in full surgeries performed on animal cadavers.
    • “A new generation of more autonomous robots holds the potential to help address a serious shortage of surgeons in the United States, the researchers said.”
  • Check this out!
    • “As 2025 nears, healthcare is undergoing unprecedented transformation, particularly with headlines about artificial intelligence (AI) technologies shifting away from grandiose promises as the dust starts to settle around the potential of Generative AI (GenAI). These innovations and others aim to reshape how healthcare is delivered. 
    • “To shed light on anticipated trends, challenges and opportunities in healthcare technology in 2025, leading experts from Wolters Kluwer Health offer their outlook on 2025 across a variety of topics. Diffusing the hype, the predictions offer an eye-opening look at what’s ahead and lead us toward a smarter, more resilient future in healthcare technology.” 

Cybersecurity Saturday

From the cybersecurity retrospection and predictions front as we approach New Year’s Day,

  • CSO lists the “top 7 zero-day exploitation trends of 2024,” and “IT leaders’ top 9 takeaways from 2024.”
  • Dark Reading points out “Emerging Threats & Vulnerabilities to Prepare for in 2025. From zero-day exploits to 5G network vulnerabilities, these are the threats that are expected to persist over the next 12 months.”
  • Federal News Network offers a “2024 review: ‘Typhoons’ bookend [the Change Healthcare breach in a] busy year in cyber. From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shined a spotlight on how agencies are managing cyber threats to critical infrastructure.”
  • Healthcare Dive recounts “seven of the biggest healthcare cyberattack and breach stories of 2024 Cyberattacks targeting the healthcare industry continued to rise this year. Here are some of the largest incidents, from Change Healthcare to Ascension.”

From the cybersecurity policy front,

  • Yesterday the Health and Human Services Department’s Office for Civil Rights announced its proposed amendments to the HIPAA Security Rule, which is intended to protect electronic protected health information. The public comment deadline is March 7, 2025, sixty days from January 6, 2025, the date the proposed rule will be published in the Federal Register.
  • Here is a link to the OCR’s fact sheet for the proposed rule. The HIPAA Security Rule dates back to 2003, and its hallmark was flexibility in implementation. To that end, the HIPAA Security Rule set forth required standards and addressable standards. Because a lot has changed since 2003, I expected standard changes, but I did not expect OCR to do away with the required / addressable standard distinction in favor of exceptions. Like many other regulations issued by the current administration, the proposed amendments are loaded with new paperwork and oversight requirements. Hopefully the next administration will pull back the proposed rule so that the changes focus on requiring tools that are known to work, e.g., multi-factor authentication, encryption, adequate backups.
  • Cybersecurity Dive lets us know,
    • “Lax security controls played a significant role in allowing a China-government sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
    • “From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
    • “Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion of U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
    • “Earlier this month, U.S. officials said at least 8 U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.”
  • Per Federal News Network,
    • “The DoD’s big cybersecurity program advanced earlier this month. It’s a big rule to carry out if it becomes effective. For what the rule means and what comes next in the Cybersecurity Maturity Model Certification Program, Deltek cybersecurity researcher Michael Greenman joined the Federal Drive with Tom Temin for details.”
    • The article offers a transcript of this interview.

From the cybersecurity breaches, ransomware, and vulnerabilities front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • Here is a link to a Security Affairs explanation of the vulnerability.
  • Bleeping Computer pointed out on December 24,
    • “The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands.
    • “The cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for conducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.
    • “In the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for negotiations. If these companies continue to ignore, Clop threatens to disclose their full name in 48 hours.
    • “The hackers note that the list represents only victims that have been contacted but did not respond to the message, suggesting that the list of affected companies may be larger.
    • “The Cleo data theft attack represents another major success for Clop, who leveraged a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to steal data from the networks of breached companies.” * * *
    • “The zero-day flaw exploited this time is now tracked as CVE-2024-50623 and it allows a remote attacker to perform unrestricted file uploads and downloads, leading to remote code execution.
    • “A fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21 and the vendor warned in a private advisory that hackers were exploiting it to open reverse shells on compromised networks.”
  • and
    • “The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.
    • “In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.
    • “The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.”

From the cybersecurity defenses front,

  • Nextgov/FCW alerts us that “Government and private sector organizations have begun to recognize that physical and virtual assets must be protected from cyber threats in the same way as IT.”
  • Dark Reading discusses “Defining & Defying Cybersecurity Staff Burnout. Sometimes it feels like burnout is an inevitable part of working in cybersecurity. But a little bit of knowledge can help you and your staff stay healthy.”
  • Here is a link to Dark Reading’s CISO Corner, which was updated this week.

Midweek update

From Washington, DC,

  • The Wall Street Journal reports,
    • “President-elect Donald Trump said he opposes the bipartisan deal struck by congressional leaders to avoid a partial government shutdown this weekend, insisting that lawmakers tear up the agreement and pass a narrower bill.
    • “Trump’s comments upended efforts to pass a stopgap spending bill to keep the government funded through mid-March, while also providing more than $100 billion in disaster and farm aid. Trump said Congress should craft a new deal that keeps the aid but leaves out other measures, and couple that with immediately raising the federal debt ceiling, ahead of a deadline on the nation’s borrowing limit looming next year.” * * *
    • “To keep the government funded, a bill must pass both chambers of Congress and be signed into law by President Biden before Friday’s midnight deadline.” 
  • Politico identifies the winners and losers in Tuesday night’s CR, FYI.
  • Federal News Network tells us,
    • “The Senate passed a defense bill Wednesday that authorizes significant pay raises for junior enlisted service members, aims to counter China’s growing power and boosts overall military spending to $895 billion while also stripping coverage of transgender medical treatments for children of military members.
    • “The annual defense authorization bill usually gains strong bipartisan support and has not failed to pass Congress in nearly six decades, but the Pentagon policy measure in recent years has become a battleground for cultural issues. Republicans this year sought to tack on to the legislation priorities for social conservatives, contributing to a months-long negotiation over the bill and a falloff in support from Democrats.
    • “Still, the bill passed comfortably 85-14, sending it to President Joe Biden. Eleven senators who caucus with Democrats, as well as three Republicans, voted against the legislation.”
  • Modern Healthcare informs us,
    • “The House Bipartisan Task Force on Artificial Intelligence [AI] has issued a comprehensive report outlining policy recommendations for AI in healthcare.
    • “AI development in healthcare has outpaced regulation of the technology, leaving the industry to create its own guidelines. Congressional leaders from both the Senate and House of Representatives have conducted hearings to learn how insurers and providers use AI, but they have not passed significant legislation to regulate it. 
    • “A bipartisan group of 12 Republican and 12 Democratic lawmakers led by co-chairs Rep. Ted Lieu (D-Calif.) and Rep. Jay Obernolte (R-Calif.) authored the report. The task force, formed in February, looked at AI in healthcare along with several other industries.”
  • The American Hospital Association News lets us know,
    • “The Centers for Medicare & Medicaid Services today announced Michigan, New York, Oklahoma and South Carolina state Medicaid agencies were selected to participate in its state-based Innovation in Behavioral Health Model. The eight-year IBH Model is intended to improve care quality and behavioral and physical health outcomes for Medicare- and Medicaid-enrolled adults with moderate to severe mental health conditions and substance use disorders. The pre-implementation period will begin Jan. 1, 2025, when states will begin to conduct outreach and recruit specialty behavioral health practices to participate in the model.”
  • Modern Healthcare points out,
    • “The U.S. spent $4.9 trillion on healthcare in 2023, a 7.5% increase from the prior year, according to a report the Centers for Medicare and Medicaid Services Office of the Actuary published in the journal Health Affairs on Wednesday.
    • “National health expenditures, including the public and private sectors, constituted 17.6% of gross domestic product last year. That’s slightly higher than 17.4% in 2022 and 17.5% in 2019 — prior to the COVID-19 pandemic — but lower than 19.5% in 2020 and 18.3% in 2021 amid the public health crisis.
    • “The Office of the Actuary, which is independent from CMS leadership, mainly attributes the growth in 2023 to greater utilization and intensity. Hospital care, physician and clinical services, and retail prescription drugs were the three biggest categories of higher spending.
    • “Expenditures increased at a greater rate last year than during the prior two years, when pandemic-era funding flexibilities began to expire, according to the actuaries. Healthcare expenditures rose 4.6% in 2022 and 4.2% in 2021 after spiking 10.4% in 2020 because of COVID-19.”

In Food and Drug Administration News,

  • Per Cardiovascular Business,
    • “The U.S. Food and Drug Administration (FDA) has announced that Boston Scientific is recalling the catheters associated with its POLARx Cryoablation System due to a heightened risk of esophageal injury. The issue has been linked to seven patient injuries and four deaths.
    • “The POLARx Cryoablation System is designed to treat recurrent, symptomatic atrial fibrillation that does not respond to treatment from medical therapy alone. It gained FDA approval back in August 2023.
    • “The FDA has ruled that this is a Class I recall, which means it is associated with the highest possible risk level. However, this recall does not involve removing the devices from the market. Instead, Boston Scientific has updated the instructions for use and is urging customers to follow these updated instructions moving forward. 
    • “The recall includes both the POLARx and POLARx FIT cryoablation catheters.”
  • Per MedTech Dive,
    • “Boston Scientific has recalled a group of Accolade pacemakers because of a malfunction that can permanently put devices in safety mode, limiting functionality and preventing devices from properly treating patients. The Food and Drug Administration said devices that permanently enter safety mode must be replaced.
    • “The recall has been tied to two deaths. Boston Scientific did not specify the number of injuries in its December recall notice. The FDA posted an alert for the recall on Monday.
    • “The subset of affected Accolade devices includes Accolade, Proponent, Essentio and Altrua 2 standard life and extended life pacemakers, as well as Visionist and Valitude cardiac resynchronization therapy pacemakers, according to the FDA’s notice.”

From the public health and medical research front,

  • The Washington Post reports,
    • “An individual in Louisiana has the first severe illness caused by bird flu in the United States, federal health officials said Wednesday.
    • “The patient, who is hospitalized, had been in contact with sick and dead birds in backyard flocks on their property, the Centers for Disease Control and Prevention said. It’s the first case of H5N1 bird flu in the United States that has been linked to exposure to a backyard flock, and news of the infection comes the same day California officials declared a state of emergency to confront the outbreak spreading among dairy cows.” * * *
    • “Emma Herrock, a spokeswoman for the Louisiana Health Department, said in an emailed statement Wednesday the patient is over 65 and has underlying medical conditions. She declined to describe the person’s symptoms or severity of illness. Citing patient confidentiality, she said there would be no updates about the patient’s condition at this time.”
  • The New York Times adds,
    • “The virus, H5N1, cannot yet spread easily among people, and it still poses little danger to the average American. Pasteurized dairy products are still safe to consume.
    • “But the past few weeks have brought a steady drumbeat of cases in people, dairy cattle, birds and other animals. Each infection gives the virus a chance to take on a form that could cause a pandemic, experts warned.
    • “All these infections in so many species around us is paving a bigger and bigger runway for the virus to potentially evolve to infect humans better and transmit between humans,” said Dr. Nahid Bhadelia, the director of the Boston University Center on Emerging Infectious Diseases.
    • “That represents an escalation in the situation, even if risk to general population remains low,” she said.
    • “California has borne the brunt of the outbreak in cattle.
    • “The first herds in the nation infected with the bird flu virus, H5N1, were identified in March. California identified its first infected herd in late August.
    • “But since then, the state’s agriculture department has found the virus in 645 dairies, about half of them in the past 30 days alone.
    • “California has also recalled raw milk products from two companies after the virus was detected in samples.”
  • STAT News informs us,
    • “A major report on alcohol’s health effects — which will inform the 2025 Dietary Guidelines for Americans — found moderate drinkers had lower all-cause mortality, and a lower risk of death from cardiovascular disease, than those who never drank. The findings are sure to cause a stir, especially once a separate panel of experts releases its own alcohol report in coming weeks. 
    • “For years, researchers and public health officials have been taking a harder stance on alcohol as evidence has emerged of its associations with various diseases, including certain cancers and liver disease. The head of the National Institute on Alcohol Abuse and Alcoholism, George Koob, has said there are “no health benefits to alcohol.” The new 230-page report, released Tuesday by the National Academies of Sciences, Engineering, and Medicine, seems to undermine those assertions. 
    • “The “Review of Evidence on Alcohol and Health” from NASEM does not make recommendations. Instead, it summarizes the available evidence published in the past five to 15 years on how moderate alcohol consumption is linked to lactation, weight, cancer, cardiovascular disease, neurocognition and all-cause mortality. Moderate drinking is defined as two drinks per day for men, or one drink per day for women. The committee’s conclusions are based on associations, so the report doesn’t explain whether alcohol consumption is directly responsible for the outcomes. 
    • “Recommendations will be made by the main dietary guidelines committee next year, using NASEM’s review and another, from a separate panel in the Department of Health and Human Services. That report has not been released yet but is expected by next month.” 

From the U.S. healthcare business front,

  • Beckers Payer Issues names the four health insurers that “earned a spot on the latest list of the 250 best-managed companies, as ranked by the Drucker Institute.”
  • BioPharma Dive reports,
    • “Merck & Co. has made its first big move in obesity treatment, announcing Wednesday it is paying Hansoh Pharma $112 million for rights outside China to a preclinical pill that works similarly to the popular injection Wegovy.
    • “Per deal terms, China-based Hansoh could receive up to $1.9 billion in additional payouts based on reaching clinical, regulatory and commercial milestones. Hansoh has an option to co-promote or solely commercialize the pill, code-named HS-10535, in China.
    • “Merck was one of the few big U.S. drugmakers that didn’t have an experimental obesity drug in development, and investors were therefore closely watching whether it would make a deal.”
  • Beckers Hospital Review ranks weight loss drugs by recent price changes for us.
  • Also, per BioPharma Dive,
    • “Almost 15 years ago, in the midst of an opioid epidemic that would kill more than half a million people in the U.S., a startup formed with the aim of creating new, non-addictive pain drugs.
    • “This goal could have been seen as noble. But for most investors, it was far too risky. Pain research was known to be exceedingly difficult and, even if successful, any resulting products would have to compete in a healthcare system that opioid makers had already gamed.
    • “The startup, SiteOne Therapeutics, has stayed afloat in the years since mostly through small grant funds. Yet, in a major reversal of fortune, it recently began to receive a huge influx of investment. The company on Wednesday announced the closing of a $100 million fundraising round, and plans to put the cash toward human studies designed to show its drugs work as intended.
    • “Pain has really been out of favor in the industry up until very recently,” said John Mulcahy, SiteOne’s cofounder and CEO. “Now is the time to add additional resources to really ramp things up.”
    • “SiteOne’s research focuses on a kind of protein that’s embedded, by the thousands, in the perimeter of cells. Aptly named “ion channels,” these microscopic tunnels allow cells to communicate with one another through the rush of electrically charged particles. They are essential. Without them, our bodies wouldn’t be able to move muscles, sense surroundings or fight against germs.
    • “These functions also make ion channels attractive targets for drug researchers, who have already found ways to use them to combat seizures, infections, and problems with the heart and blood pressure. And over the past couple decades, technological advances have led to a better understanding of these proteins, such that some pharmaceutical companies now believe the field will, before too long, produce new treatments for pain, epilepsy, depression and many more neurological conditions.”

Weekend Update

From Washington, DC,

  • The House of Representatives and the Senate are on District / State work breaks from Capitol Hill this week due to the Thanksgiving holiday.
  • The Hill offers backgrounds on the Food and Drug Administration commissioner, Centers for Disease Control director, and Surgeon General nominees that President-elect Trump announced Friday evening.
  • STAT News reports
    • “A conservative federal judge in Texas has ruled in favor of UnitedHealth Group, saying the federal government unlawfully factored in a “disputed” phone call to lower UnitedHealth’s Medicare Advantage ratings. 
    • “The Centers for Medicare and Medicaid Services will now have to revise UnitedHealth’s 2025 Medicare Advantage ratings by taking out the call center metric, and “immediately publish the recalculated star ratings in the Medicare Plan Finder,” Judge Jeremy Kernodle wrote in his ruling.”
    • Congrats UHG.
    • “Four other large Medicare Advantage insurers — Humana, Elevance Health, Centene, and Blue Cross Blue Shield of Louisiana — have also sued Medicare for downgrading their 2025 star ratings. The lawsuits from Humana and Centene similarly involve the government’s evaluation of their call centers.”
  • Federal News Network tells us,
    • “The Office of Personnel Management has a new leader to focus specifically on federal employees working in HR. Jeff Bardwell will be the first-ever senior executive to serve as the advisor for human resources workforce programs at OPM. In the new position, Bardwell will be tasked with developing and managing the direction of the HR workforce governmentwide. His work will likely include defining HR career paths and improving HR training and professional development opportunities. Bardwell previously spent 15 years working at the Department of Homeland Security.”

From the public health and medical research front,

  • The New York Times discusses how healthcare can unnecessarily take time away from senior citizens.
    • “[S]lowing the health care treadmill — an approach Dr. Montori has called “minimally disruptive medicine” — is possible.
    • “If doctors and clinics and health care systems paid attention to ways to lessen the burden, we’d all be better off,” Dr. Ganguli said. “And some are fairly simple.”
    • “One strategy: reducing what experts call “low-value care.” Her research has confirmed what critics have pointed out for years: Older people receive too many services of dubious worth, including prostate cancer screening in men over 70 and unneeded tests before surgery.”
  • Fortune Well shares “Tips and habits for getting a good night’s rest and boosting your health.”
  • The Wall Street Journal offers an obituary for “Janelle Goetcheus, the ‘Mother Teresa of Washington, D.C.,’ dies at 84. She felt a pull to practice medicine and a call to serve God—the two were always intertwined.
    • “Goetcheus [and her husband, a Methodist minister] spent the [last] half-century treating the unhoused in Washington, D.C. She helped open clinics, organizations and warm buildings to support and care for them. She also visited patients on park benches and in the street—treating people where they are was central to her mission.
    • “Sometimes called the “Mother Teresa of Washington, D.C.,” Goetcheus was best known for co-founding Christ House with a group that included her husband, the Rev. Allen Goetcheus. A “medical respite,” Christ House is a place where men who are no longer sick enough to be in a hospital, but don’t have an appropriate place to convalesce, can live while they recover. It was also the home where the couple raised their three children and where she died, Oct. 26, at the age of 84.” * * *
    • “We wanted to learn to be with people and not just to do for people,” Goetcheus said in the oral-history interview.”
    • RIP Dr. Goetcheus.

From the U.S. healthcare business front,

  • The Washington Post reports,
    • “A growing number of companies have begun to offer employees access to menopause-related benefits in their health insurance, including paid time off, access to health providers knowledgeable about menopause, coverage of medication for menopause symptoms, and even altered work schedules and relaxed dress code options. These benefits are meant to help employees cope with symptoms such as hot flashes, depression and other physical discomforts.
    • “The benefits are designed to meet the needs of people dealing with menopause and of their employers, who are adding such coverage to help retain employees, many who have decades of experience, are in management and senior leadership positions or are in line for those posts.
    • “Among the companies offering a variety of menopause-related benefits are Microsoft, Genentech, Adobe and insurer Healthfirst.”
  • BioPharma Dive reports,
    • “The Food and Drug Administration has approved a new medicine for a deadly genetic heart condition, boosting its developer, BridgeBio Pharma, and teeing up a battle for control of a lucrative market targeted by several drugmakers.
    • “The agency on Friday cleared Attruby, known scientifically as acoramidis, for people with a cardiac form of transthyretin amyloidosis, a progressive disease that leads to heart failure and death.
    • “In testing, Attruby helped keep people alive and out of the hospital longer than those who’d received a placebo. Treatment was also associated with improvements in quality of life as well as markers of heart health.
    • “Notably, the drug is approved to prevent hospitalization or death resulting from heart complications of transthyretin amyloidosis with cardiomyopathy. Investors had been skeptical BridgeBio would earn such a distinction from regulators, leading to doubts about Attruby’s commercial prospects. 
    • “BridgeBio priced Attruby at just under $19,000 for a 28-day supply, translating to an annual list cost of about $244,000.”
  • McKinsey & Company considers what’s next for AI and healthcare.
    • In healthcare—with patient well-being and lives at stake—the advancement of AI seems particularly momentous. In an industry battling staffing shortages and increasing costs, health system leaders need to consider all possible solutions, including AI technologies. “Organizations are eager to use generative AI to help enhance how healthcare stakeholders work and operate,” write McKinsey’s Jessica Lamb and coauthors, “but some are still adopting a wait-and-see approach.” Where do you stand? Explore these insights to get up to date on AI and healthcare topics including: 
      • Adding artificial intelligence to nurses’ toolbox
      • Making coverage and cost information more understandable
      • AI impact on the payment integrity (PI) value chain
      • AI use cases in claims processing, enrollment, and underwriting.
  • HR Dive provides “a roundup of numbers from the last week of HR news — including the percentage of employers covering GLP-1s for obesity treatment [44%].”

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.
    • “The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.
    • “Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  
    • “In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 
  • and
    • “A bill that would require federal contractors to implement vulnerability disclosure policies that comply with National Institute of Standards and Technology guidelines cleared a key Senate panel Wednesday, setting the bipartisan legislation up for a vote before the full chamber.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2024 (S. 5028) from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., sailed through the Senate Homeland Security and Governmental Affairs Committee, after a companion bill from Rep. Nancy Mace, R-S.C., passed the House Oversight Committee in May.
    • “The bill from Warner and Lankford would formalize a structure for contractors to receive vulnerability reports about their products and take action against them ahead of an attack. In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
    • “Federal law mandates that civilian federal agencies have VDPs, but no standard currently exists for federal contractors. The legislation would require contractors to accept, assess and manage any vulnerability reports that they receive.”
  • and
    • “A Russian man who allegedly served as an administrator of the Phobos ransomware that’s extorted millions of dollars from more than a thousand victims is in U.S. custody, the Justice Department said Monday.
    • “South Korea extradited Evgenii Ptitsyn, 42, to the United States for a court appearance Nov. 4, according to a news release about an unsealed 13-count indictment.
    • “The Phobos ransomware has extorted over $16 million from more than 1,000 victims worldwide, including schools, hospitals, government agencies and large corporations, DOJ said. The department chalked up the arrest to international team-ups.”

From the cybersecurity vulnerabilities and breaches front,

  • Per a Cybersecurity and Infrastructure Security Agency press release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, has released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical software weaknesses that adversaries frequently exploit to compromise systems, steal sensitive data, or disrupt essential services.
    • “Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Palo Alto Networks customers are confronting another actively exploited zero-day, a critical authentication bypass vulnerability in the security vendor’s PAN-OS operating system, which runs some of the company’s firewalls, the company said Monday in an updated security advisory.
    • “Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces,” the security vendor’s threat intelligence firm Unit 42 said in a Monday threat brief. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
    • “The vulnerability, CVE-2024-0012, has a CVSS score of 9.3 and allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges or tamper with the configuration. Active exploitation of the CVE can also allow attackers to exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474, which has a CVSS score of 6.9.” 
  • Security Week adds,
    • “Apple has rushed out major macOS and iOS security updates to cover a pair of vulnerabilities already being exploited in the wild.
    • “The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday.
    • “As is customary, Apple’s security response team did not provide any details on the reported attacks or indicators of compromise (IOCs) to help defenders hunt for signs of infections.
    • “Raw details on the patched vulnerabilities:
      • CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
      • CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross-site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
    • “The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1, macOS Sequoia 15.1.1 and the older iOS 17.7.2.”
  • Cybersecurity Dive lets us know,
    • “Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
    • “The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
    • “Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.”
  • HHS Health Sector Cybersecurity Coordination Center offers an alert discussing a widespread phishing campaign abusing DocuSign software by impersonating well-known brands. The alert offers tips for avoiding this scam.
  • Dark Reading lets us know,
    • “Microsoft seized 240 domains belonging to ONNX, a phishing-as-a-service platform that enabled its customers to target companies and individuals since 2017.
    • “ONNX was the top adversary-in-the-middle (AitM) phishing service, according to Microsoft’s “Digital Defense Report 2024,” with a high volume of phishing messages during the first six months of this year. Millions of phishing emails targeted Microsoft 365 accounts each month, and Microsoft has apparently had enough.”
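  • The password-spray pattern Trellix describes above has a recognizable shape in authentication logs that separates it from ordinary brute force: one source fails against many distinct accounts with only one or two attempts each, staying under per-account lockout thresholds, and the alert that matters most is a later successful sign-in from that same source. The script below is an added example of that detection logic, not code from Trellix, Cybersecurity Dive or any vendor. The log lines are constructed for the example, and the record layout (timestamp, result, user, source IP, application), the 30-minute window and the thresholds are assumptions; real Microsoft 365, Okta or VPN sign-in exports need their own parser in place of parse_log.

```python
"""Password-spray detection over constructed authentication log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real system.
# Layout assumed for this example: ISO timestamp, result, user, source IP, application.
# 203.0.113.7 sprays six accounts once each and then succeeds against one of them;
# 198.51.100.9 brute-forces a single account; 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2024-11-20T08:00:01Z FAIL alice 203.0.113.7 m365
2024-11-20T08:01:12Z FAIL bob 203.0.113.7 m365
2024-11-20T08:02:30Z FAIL carol 203.0.113.7 m365
2024-11-20T08:03:44Z FAIL dave 203.0.113.7 okta
2024-11-20T08:05:02Z FAIL erin 203.0.113.7 okta
2024-11-20T08:06:15Z FAIL frank 203.0.113.7 vpn
2024-11-20T08:12:40Z OK frank 203.0.113.7 vpn
2024-11-20T08:00:10Z FAIL carol 198.51.100.9 vpn
2024-11-20T08:00:20Z FAIL carol 198.51.100.9 vpn
2024-11-20T08:00:31Z FAIL carol 198.51.100.9 vpn
2024-11-20T08:00:45Z FAIL carol 198.51.100.9 vpn
2024-11-20T08:10:00Z FAIL alice 192.0.2.10 m365
2024-11-20T08:10:30Z OK alice 192.0.2.10 m365
"""


def parse_log(text):
    """Parse the assumed whitespace-separated layout into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip, app = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user.lower(),   # normalise so Alice and alice count as one account
            "ip": ip,
            "app": app,
        })
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures, within any sliding
    window, hit at least min_users distinct accounts with at most max_per_user
    attempts per account. Thresholds are example values, not vendor guidance."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, latest in enumerate(fails):
            # Slide the window so it only covers failures within `window` of the latest one.
            while latest["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            many_accounts = len(per_user) >= min_users
            low_and_slow = max(per_user.values()) <= max_per_user   # brute force fails this test
            if many_accounts and low_and_slow:
                f = findings.setdefault(ip, {"users": set(), "first": fails[start]["ts"], "last": latest["ts"]})
                f["users"].update(per_user)
                f["last"] = latest["ts"]
    return findings


def successes_after_spray(events, findings):
    """Successful sign-ins from a spraying source at or after its first observed attempt:
    the likely account compromise, and the event to escalate."""
    hits = []
    for e in events:
        f = findings.get(e["ip"])
        if e["ok"] and f and e["ts"] >= f["first"]:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evs)
    for ip, f in sprays.items():
        print(f"spray from {ip}: {len(f['users'])} accounts between {f['first']} and {f['last']}")
    for e in successes_after_spray(evs, sprays):
        print(f"ALERT: {e['user']} signed in to {e['app']} from spraying source {e['ip']} at {e['ts']}")
```

On the constructed log only 203.0.113.7 is reported, because the brute-force source hits one account and the legitimate user fails once; the successful sign-in for frank from the spraying source is the event that warrants a password reset and session revocation rather than just a block. In production the same logic belongs on the identity provider's sign-in export, keyed additionally on user agent and autonomous system, since sprayers rotate source IPs.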

From the ransomware front,

  • The American Hospital Association News reports,
    • “A joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of cybercriminal activity by the BianLian ransomware group. The agencies said actions by BianLian actors have impacted multiple sectors across the U.S. since 2022. They operate by gaining access to victims’ systems through valid remote desktop protocol credentials and use open-source tools and command-line scripting for finding and stealing credentials. The actors then extort money from victims by threatening to release the stolen data. 
    • “The BianLian group has been listed as one of the most active groups over the last several years, and they have been known to attack the health care sector,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The group often uses RDP for access, which serves as a reminder to ensure that hospitals strictly limit the use of RDP and similar services to help mitigate this threat and the many others which use RDP as part of their initial access to penetrate networks. They do not appear to be encrypting networks and disrupting hospital operations. In the event that anyone’s personally identifiable information is stolen and they think they may be a victim of identity theft, an excellent resource to help assist them is identitytheft.gov.” 
  • Hacker News informs us,
    • “Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.
    • “Helldown deploys Windows ransomware derived from the LockBit 3.0 code,” Sekoia said in a report shared with The Hacker News. “Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware.”
    • “Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an “aggressive ransomware group” that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.
    • “Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It’s estimated to have attacked at least 31 companies within a span of three months.”
  • Per Dark Reading,
    • “The Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.
    • “The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.
    • “Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.
    • “The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other affected sectors include manufacturing, construction, retail, technology, education, and critical infrastructure.” 
  • Security Intelligence tells us,
    • “Any good news is welcomed when evaluating cybercrime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021.
    • “Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in active ransomware groups in the first half of 2024, providing convincing evidence that the fight against ransomware is far from over.”

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Artificial intelligence could ease pernicious labor challenges facing the healthcare sector, but health systems will need to boost their cybersecurity spending to manage increased risks, according to a report by Moody’s Ratings. 
    • “The emerging technology could help recruit and retain staff through tools that help nurses pick more flexible schedules or assist clinicians documenting clinical care, according to the credit ratings agency. 
    • “But new technology also brings more vulnerabilities for hackers to exploit — already a challenge for the healthcare industry, which is dependent on IT systems that house sensitive and valuable patient data.”
  • and
    • “Microsoft unveiled the Windows Resiliency Initiative Tuesday, which follows the July global IT outage linked to a faulty CrowdStrike software update, according to a blog post from David Weston, VP of enterprise and OS security at Microsoft. The effort is intended to advance the company’s prior efforts to overhaul its security culture.
    • “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers,” Weston said in the blog. 
    • “Microsoft will allow IT administrators to make changes to Windows Update on PCs, even if the machines are unable to boot up. Administrators will not require physical access to the machines to make the necessary changes. 
    • “The service will be available to the Windows Insider Program community starting in early 2025.”
  • Cyberscoop reports,
    • “Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies often cover CEOs, CFOs, and other board members, but often fail to include CISOs. 
    • “New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability. 
    • “Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability. 
    • “CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional [professional liability] insurance policies.”
  • Here is a link to Dark Reading’s CISO Corner.
  • An ISACA commentator explains how to grow cyber defenses from seed to system using a plant pathology approach.
  • Dark Reading offers a commentary on the importance of learning from cybersecurity mistakes.
    • “Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM “Cost of a Data Breach Report 2024” estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it’s about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It’s time to shift the mindset: Every breach is an opportunity to innovate.”

Monday Round up

Photo by Sven Read on Unsplash

From Washington, DC,

  • Federal News Network Interviews Consumer Checkbook’s Kevin Moss “on how a little planning can offset rise in premium costs” when selecting an FEHB or PSHB plan for 2025.
  • KFF examines Plan Offerings, Premiums and Benefits in Medicare Advantage Plans During the Medicare Open Enrollment Season for Coverage in 2025.
  • The American Hospital Association tells us,
    • “To recognize National Rural Health Day Nov. 21, AHA has released a blog and infographic that address challenges in accessing rural behavioral health care and approaches to solving them, respectively. From Nov. 18-22, AHA will honor our rural workforce by sharing rural health content through AHA Today, social media and other channels.” 
  • The Congressional Research Service released a Focus report about the qualified medical expenses that health savings account (“HSA”) holders can use the HSA to pay.
  • BioPharma Dive lets us know,
    • “Massachusetts-based Syndax Pharmaceuticals won Food and Drug Administration approval Friday for a new kind of drug to treat an aggressive form of leukemia in adults and some children.
    • “The oral drug, which Syndax will sell as Revuforj, is the first of its type, a class of compounds known as menin inhibitors. It’s cleared for patients one year or older who have relapsed or refractory acute leukemia that harbors a specific mutation: translocations in the lysine methyltransferase 2A, or KMT2A, gene.
    • “People with this type of leukemia are more likely to relapse and have a median overall survival of less than one year. Syndax plans to launch two doses of the drug, which it priced at about $475,000 per year before rebates or discounts, later in November. A lower dose for patients who weigh less will be available next year.”

The public health and medical research front,

  • The New York Times reports,
    • “One of the first warnings came in a paper published in 2021. There was an unexpected rise in pancreatic cancer among young people in the United States from 2000 to 2018. The illness can be untreatable by the time it is discovered, a death sentence.
    • “With publication of that report, by Dr. Srinivas Gaddam, a gastroenterologist at Cedars-Sinai Medical Center, researchers began searching for reasons. Could the increase be caused by obesity? Ultraprocessed foods? Was it toxins in the environment?
    • “Alternatively, a new study published on Monday in The Annals of Internal Medicine suggests, the whole alarm could be misguided.
    • “The authors of the paper, led by Dr. Vishal R. Patel a surgical resident at Brigham and Women’s Hospital in Boston, did not dispute the data showing a rising incidence. They report that from 2001 to 2019 the number of young people — ages 15 to 39 — diagnosed with pancreatic cancer soared. The rate of pancreatic surgeries more than doubled in women and men.
    • “The problem is that the expected consequence of such a rise in cancers did not occur. With more pancreatic cancers in young people, there should be more pancreatic cancer deaths. And there were not. Nor were more young people getting diagnosed with later-stage cancers. Instead, the increase was confined to cancers that were in very early stages.
    • “Many cancers will never cause harm if left alone, but with increasingly sensitive tools, doctors are finding more and more of them. Because there usually is no way to know if they are dangerous, doctors tend to treat them aggressively. But they would never have shown up in death statistics if they had not been found.
    • “It’s the hallmark of what researchers call overdiagnosis: a rise in incidence without a linked rise in deaths.”
  • STAT News informs us
    • “At the Milken Institute’s Future of Health Summit on Thursday, researchers and health care executives talked about efforts to detect cancers earlier, save lives, and get to the root of why cancers have begun to rise in this population. 
    • “The big question is always why,” said Kimryn Rathmell, director of the National Cancer Institute. “We need to understand the variation so that we can begin to understand which parts are related to obesity, diet and exercise; which ones are more related to sun exposure, smoking, alcohol — the risk factors that are well-known to us, but may have a variation in how they’re being consumed or exposed in younger people today.” * * *
    • “Since cancer is still rare among younger adults, people are likely to get negative test results. That “runs the risk of people, by the time they get older, kind of shrugging their shoulders and saying, ‘Well, I’ve been doing this for 10 years, why should I keep doing it?’” said Harlan Levine, president of health innovation and policy at the City of Hope.
    • “Part of the solution, the group agreed, is to develop more efficient, targeted tests that can detect cancers earlier on. Mohit Manrao, the head of U.S. oncology at AstraZeneca, noted that the company has recently developed an AI tool that can use biomarkers from common hospital tests to predict the likelihood that a person will get a disease, including some cancers, before a doctor would be able to make a diagnosis.
    • “It’s also important to expand outreach to populations that haven’t had access to it in the past. Black women, for example, have a lower incidence of breast cancer than white women but 40% higher chance of dying from it.”
  • and
    • “Lipoprotein(a) is a risk factor for cardiovascular disease you may not hear about in your annual physical. Like LDL, or “bad” cholesterol, too much of the LDL-like particle can create plaque that clogs arteries, creating potential blockages that lead to heart attacks or strokes. It’s also implicated in aortic stenosis, when the aortic valve narrows, pinching blood supply to the rest of the body.
    • “But unlike cholesterol, Lp(a) does not surrender to statins or respond to a healthier lifestyle of improved diet and more physical activity. Its levels are determined by your genes, putting the estimated 1 in 5 people who have high levels at a two- or threefold higher risk than people without what’s called the most common genetic dyslipidemia. In the United States, that would mean 64 million people are at risk and 1.4 billion people worldwide.
    • “At the American Heart Association’s scientific sessions Monday, researchers presented Phase 2 data on two treatments for elevated Lp(a): an oral drug called muvalaplin and an RNA-silencing injection called zerlasiran. Both studies were also published in JAMA and include several of the same co-authors, led by Steven Nissen of the Cleveland Clinic and Stephen Nicholls of Monash University.
    • “These two new reports add to the growing evidence in at least five different drug programs directed for lowering Lp(a) that the agents are potent, capable of 80% reduction or more, with durable effects over extended treatment,” said Eric Topol, cardiologist and geneticist and director of the Scripps Research Translational Institute. He was not involved in either study. “Most of the programs are siRNA injectables but one here is oral, which is encouraging, more practical, and may be less expensive.”
  • Per Medscape,
    • “Artificial intelligence (AI) helps produce echocardiograms more quickly and efficiently, with better-quality images and less fatigue for operators, shows the first prospective randomized controlled trial of AI-assisted echocardiography.
    • “The Japanese study used Us2.ai software, developed from an 11-country research platform and supported by the Singapore Agency for Science, Technology and Research. This system and another newly developed AI system, PanEcho — developed at the Yale School of Medicine in New Haven, Connecticut, and the University of Texas at Austin — can automatically analyze a wide range of structures, functions, and cardiographic views. Studies of these two systems were presented at the American Heart Association (AHA) Scientific Sessions 2024.
  • Per MedPage Today,
    • “More than half of all adults in the U.S. are eligible for semaglutide (Ozempic, Wegovy, Rybelsus), researchers estimated.
    • “Among 25,531 participants in the National Health and Nutrition Examination Survey (NHANES) from 2015 to 2020, 8,504 were eligible for semaglutide, representing an estimated 136.8 million adults across the country. All met the criteria for at least one of three indications that the drug is currently approved for — diabetes, weight management, or secondary cardiovascular disease (CVD) prevention, reported Dhruv S. Kazi, MD, MSc, of Beth Israel Deaconess Medical Center in Boston, and colleagues.”
  • The Washington Post adds,
    • “From August 2021 to August 2023, 4.5 percent of adults in the United States had undiagnosed diabetes, the Centers for Disease Control and Prevention says in a recent report. And a little over 11 percent of U.S. adults had been diagnosed with the condition as of the same time period, the CDC says.” * * *
    • “The study looked at how total, diagnosed and undiagnosed diabetes differed across demographics including age, weight and educational attainment. Undiagnosed diabetes prevalence increased with age. For example, about 1.3 percent of adults ages 20 to 39 with diabetes were undiagnosed vs. 5.6 percent of those 40 to 59. Among those 60 and older, some 6.8 percent of people with diabetes had not been diagnosed.”
  • The American Medical Association shares “what doctors wish patients knew about sciatica.”
  • Per BioPharma Dive,
    • “A single infusion of a CRISPR therapy developed by Intellia Therapeutics showed promising signs of stabilizing a heart disorder caused by the rare disease transthyretin amyloidosis, buoying the company’s hopes of finding success in late-stage clinical trials.
    • “Phase 1 study data from 36 people with the cardiomyopathy form of transthyretin, or ATTR, amyloidosis showed Intellia’s gene editing treatment sharply and durably lowered levels of the ATTR protein that misfolds and gathers in the toxic clumps that characterize the disease.
    • “Prior trial results, in fewer people and across shorter periods of time, had already shown Intellia’s therapy capable of reducing ATTR protein. The new findings, which were published Friday in The New England Journal of Medicine, show those reductions appeared to translate to stability or improvement on several markers of cardiac disease progression, too.”
  • Per a National Institutes of Health press release,
    • “Researchers from the National Institutes of Health (NIH) have developed an artificial intelligence (AI) algorithm to help speed up the process of matching potential volunteers to relevant clinical research trials listed on ClinicalTrials.gov. A study published in Nature Communications found that the AI algorithm, called TrialGPT, could successfully identify relevant clinical trials for which a person is eligible and provide a summary that clearly explains how that person meets the criteria for study enrollment. The researchers concluded that this tool could help clinicians navigate the vast and ever-changing range of clinical trials available to their patients, which may lead to improved clinical trial enrollment and faster progress in medical research.
    • “A team of researchers from NIH’s National Library of Medicine (NLM) and National Cancer Institute harnessed the power of large language models (LLMs) to develop an innovative framework for TrialGPT to streamline the clinical trial matching process. TrialGPT first processes a patient summary, which contains relevant medical and demographic information. The algorithm then identifies relevant clinical trials from ClinicalTrials.gov for which a patient is eligible and excludes trials for which they are ineligible. TrialGPT then explains how the person meets the study enrollment criteria. The final output is an annotated list of clinical trials—ranked by relevance and eligibility—that clinicians can use to discuss clinical trial opportunities with their patient.
    • “Machine learning and AI technology have held promise in matching patients with clinical trials, but their practical application across diverse populations still needed exploration,” said NLM Acting Director, Stephen Sherry, PhD. “This study shows we can responsibly leverage AI technology so physicians can connect their patients to a relevant clinical trial that may be of interest to them with even more speed and efficiency.”
    • “To assess how well TrialGPT predicted if a patient met a specific requirement for a clinical trial, the researchers compared TrialGPT’s results to those of three human clinicians who assessed over 1,000 patient-criterion pairs. They found that TrialGPT achieved nearly the same level of accuracy as the clinicians.”
  • Per Healio,
    • “Most people at high risk for lung cancer have not discussed screening for the disease with their clinician or have even heard of the test, according to a research letter published in JAMA Network Open.
    • “The findings come despite lung cancer screening demonstrating effectiveness at identifying cancer and reducing related mortality outcomes, a researcher pointed out.
    • “We’ve got a screening test that works. It works as well, if not better, than breast and colorectal cancer screening in terms of mortality reduction. It’s one of the most life-saving things we have for a cancer that kills more people than either of those two combined,” Gerard A. Silvestri, MD, MS, FCCP, a professor of medicine at the Medical University of South Carolina (MUSC) and the study’s senior author, said in a press release.
    • “Silvestri and colleagues noted that physician-patient communication is vital for the uptake of lung cancer screening, which only 18% of eligible patients are up to date on, according to a prior study published in JAMA Internal Medicine.”

From the U.S. healthcare business front,

  • Healthcare Dive reflects,
    • “Despite growing revenues, most major insurers saw their profits from offering health plans shrink in the third quarter as pressures in government programs stretched into the back half of the year.
    • “In Medicare Advantage, seniors are still utilizing more healthcare than insurers expected when pricing their plans. And in Medicaid, states’ payment rates continue to land well below the cost of caring for beneficiaries in the safety-net programs, payers say.
    • “Those forces coalesced to hit insurers, slamming some — notably, CVS-owned Aetna and Humana — while swatting others. Aetna was particularly affected, posting the steepest year-over-year drop in operating profit by a wide margin.
    • “Only two insurers — Cigna and Molina — reported a year-over-year increase in operating profit from insurance arms: Cigna, because most of its members are in commercially insured plans, which shelters the payer from headwinds in government plans; and Molina due to risk corridors that absorbed the worst of unexpected cost trends, and rate updates from Medicaid states. 
    • “Yet overall, medical loss ratios — an important metric of spending on patient care — increased 3.3 percentage points year over year when averaged across the seven major publicly traded payers. That’s a major leap. Again, Aetna saw the most drastic change — and management warned investors the MLR could increase further, from 95.2% this quarter to 95.5% in the fourth.”
  • The Wall Street Journal adds,
    • “CVS Health is adding four new members to its board in an agreement with Glenview Capital Management, a hedge fund that pushed for changes at the healthcare company.
    • “The new members include Glenview Chief Executive Larry Robbins, as well as three other executives with health-sector and financial experience. The board’s total membership will be 16 with the new additions.
    • “Robbins and CVS Executive Chairman Roger Farah said the company and the investor had agreed to cooperate.
    • “The board members that are joining bring unique skills, they’ll be additive to the existing board, and we expect to work collaboratively,” Farah said in an interview.”
  • Becker’s Hospital Review offers eight predictions about hospital financial stability in 2025 based on a November 13 report issued by Moody’s Investors Service.
  • Modern Healthcare reports,
    • “Ascension Wisconsin plans to close a hospital in Waukesha and consolidate a few lines of service among other facilities in the southeast region of the state.
    • “The Waukesha “micro-hospital,” which offers emergency and low-acuity care services, is slated to shut down in January, said Ascension Wisconsin Senior Director of External Relations Mo Moorman on Monday.
    • “The facility is part of a joint venture between Glendale-based Ascension Wisconsin and micro-hospital developer Emerus, which staffs and manages the location. The decision to close was due to consistently low patient volumes, Moorman said.
    • “Other facilities run by the joint venture will not be affected.”

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “The U.S. must take collective action to address “unacceptable” cybersecurity risks to the country, National Cyber Director Harry Coker Jr. said in a speech at Columbia University’s Conference on Cyber Regulation and Harmonization in New York City. Coker called for federal authorities to work together with critical infrastructure providers, private sector companies and other stakeholders. 
    • “Cybersecurity threats like the China state-linked Volt Typhoon present unacceptable risks to the U.S., Coker said, and more investments are required to build long term cyber resilience. As part of that strategy, companies need to ensure that cybersecurity is as much of a focus as quarterly profits. 
    • “At the same time, Coker called for the government to streamline its regulations and harmonize compliance demands for the benefit of the private sector and critical infrastructure providers. This could allow CISOs and other security leaders to spend more time mitigating their own organizational cyber risk, he said.”
  • NextGov/FCW tells us,
    • “Jen Easterly, the Cybersecurity and Infrastructure Security Agency’s stalwart champion and a figurehead among cybersecurity and intelligence community practitioners, will leave her post Jan. 20 next year when President-elect Donald Trump is inaugurated back into the White House, people familiar with her plans said.
    • “The plans were communicated via internal emails and an all-hands staff meeting, said the people, who asked not to be identified to share news of her departure. Deputy Director Nitin Natarajan also plans to depart at that time, one of the people said. * * *
    • “A CISA spokesperson told Nextgov/FCW that all appointees under the current administration vacate their positions when a new administration takes office and affirmed the agency’s commitment to a seamless transition.” * * *
    • “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.”
  • and
    • “With 66 days until Inauguration Day, Federal Chief Information Officer Clare Martorana says her top priority in the last days of the Biden administration is cybersecurity. 
    • “Continuing to make sure that cybersecurity is not an afterthought,” she told Nextgov/FCW on the sidelines of an ACT-IAC event Friday, adding that she wants cyber to be part of the IT community, rather than segmented away from each other.
    • “In government, it just continues to perplex me that we don’t necessarily co-join in our product development and the ongoing maintenance of our digital properties as a single, cohesive team,” she said. 
    • “Second up is facilitating an effective transition for the incoming Trump administration.
    • “Making sure that the next team that comes in knows exactly what we’ve accomplished, knows exactly the areas that we feel need additional attention and that are going to be what the catalysts are for the next four years of technology, customer experience, digital experience evolution” is a “really, really important part of my job right now,” said Martorana. 
    • “I want to make sure that the next federal CIO has the best chance of hitting the ground running and being as effective as they can be,” she added.” 
  • The Government Accountability Office released a report highlighting that
    • “As the lead federal agency for the healthcare and public health critical infrastructure sector, the Department of Health and Human Services (HHS) has faced challenges in carrying out its cybersecurity responsibilities. Implementing our related prior recommendations can help HHS in its leadership role.”
  • The National Institute for Standards and Technology announced,
    • “The initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI), is available for comment.
    • “SP 800-172r3 provides recommended security requirements to protect the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program. The enhanced security requirements give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats (APTs) and help to ensure the resiliency of systems and organizations. The enhanced security requirements in SP 800-172r3 supplement the security requirements in SP 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements are needed universally; enhanced security requirements are selected by federal agencies based on specific mission needs and risks.
    • “The public comment period is open through January 10, 2025. NIST strongly encourages you to use the comment template available on the publication details page and submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.”
  • FEHB claims data is classified as CUI. Significant changes are called out on this NIST website.

From the cybersecurity vulnerabilities and breaches front,

  • From a November 12, 2024, CISA press release
    • “Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and international partners released joint Cybersecurity Advisory, 2023 Top Routinely Exploited Vulnerabilities.” * * *
    • “The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory. The advisory provides vendors, designers, and developers a guide for implementing secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations mitigations. Following this guidance will help reduce the risk of compromise by malicious cyber actors.”
  • Also on November 12, HHS’s Health Sector Cybersecurity Coordination Center released an Analyst Note on the Godzilla Webshell.
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • Per Cybersecurity Dive,
    • “Attackers are actively exploiting a pair of previously disclosed vulnerabilities in Palo Alto Networks Expedition, federal cyber authorities said Thursday. 
    • “The Cybersecurity and Infrastructure Security Agency added CVE-2024-9463, an OS command injection vulnerability with a CVSS score of 9.9, and CVE-2024-9465, an SQL injection vulnerability with a CVSS score of 9.2, to its known exploited vulnerabilities catalog on Thursday. The alert comes one week after the agency confirmed another vulnerability in the same product, CVE-2024-5910, was under active exploitation.
    • “Palo Alto Networks disclosed and released a patch for the vulnerabilities along with three additional CVEs in the migration tool on Oct. 9.”
  • Per Dark Reading,
    • “Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery.
    • “This decision came after there were reports from admins saying that email had stopped flowing altogether.
    • “The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn’t being shared via email to an outside organization.”
  • and
    • “ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI’s security on the whole.
    • “The world’s leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.
    • “OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.
    • “They’re not documented features,” he says. “I think this is a pure design flaw. It’s a matter of time until something happens, and some zero-day is found,” by virtue of the data leakage.”
  • Per AI Business,
    • “When most people think of AI-generated deepfakes, they probably think of videos of politicians or celebrities being manipulated to make it appear as though they said or did something they didn’t. These can be humorous or malicious. When deepfakes are in the news, for instance, it is usually in connection to a political misinformation campaign.
    • “What many people don’t realize, however, is that the malicious use of deepfakes extends well beyond the political realm. Scammers are increasingly adept at using real-time deepfakes to impersonate individuals with certain permissions or clearances, thus granting them access to private documents, sensitive personal data and customer information.” * * *
    • “Governments and businesses are taking deepfakes more and more seriously. Protecting against this kind of manipulation requires a combination of technological solutions and personnel-based ones. First and foremost, a regular red-teaming process must be in place. Stress-testing deepfake detection systems with the latest deepfake technology is the only way to make sure a given detection system is working properly.
    • “The second essential aspect of defending against deepfakes is educating employees to be skeptical of videos and video conferences with requests that seem too drastic, urgent, or otherwise out of the ordinary. A culture of moderate skepticism is part of security awareness and preparedness alongside solid security protocols. Often the first line of defense is common sense and person-to-person verification. This can save companies millions and their cybersecurity teams hundreds of hours.
    • “Alongside technological solutions, the best defense against malicious AI is common sense. Businesses that take this two-pronged approach will have a better shot at protecting themselves than businesses that don’t. Considering the speed at which deepfakes are evolving, this is nothing short of critical.”

From the ransomware front,

  • On November 13, the Register reported,
    • “American Associated Pharmacies (AAP) is the latest US healthcare organization to have had its data stolen and encrypted by cyber-crooks, it is feared.
    • “The criminals over at the Embargo ransomware operation claimed responsibility for the hit job, allegedly stealing 1.469 TB of AAP’s data, scrambling its files, and demanding payment to restore the information.
    • “AAP, which oversees a few thousand independent pharmacies in the country, hasn’t officially confirmed an attack, nor has it responded to The Register‘s request for input on the claims. At the time of writing, its website warns all user passwords were recently force-reset. It did not explain why the resets were forced nor mention a cyberattack.
    • “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites,” a website notice reads. “Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
  • Bleeping Computer informs us,
    • “North Korean threat actors target Apple macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, which are signed and notarized by a legitimate Apple developer ID.
    • “This means that the malicious apps, even if temporarily, passed Apple’s security checks, so macOS systems treat them as verified and allow them to execute without restrictions.
    • “The app names are centered around cryptocurrency themes, which aligns with North Korean hackers’ interests in financial theft.
    • “According to Jamf Threat Labs, which discovered the activity, the campaign appears more like an experiment on bypassing macOS security than a fully-fledged and highly targeted operation.”
  • Infosecurity Magazine discusses how ransomware groups use cloud services for data exfiltration.
    • “Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.
    • “Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.
    • “However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.
    • “Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.
    • “S3 buckets are one of the most referenced targets of malicious activity.
    • P.S. S3 buckets are the storage containers that hold objects in Amazon’s Simple Storage Service (S3), a public-cloud object storage service. A bucket can be likened to a top-level file folder, and the files it holds are the objects.

From the cybersecurity defenses front,

  • Per Cybersecurity Dive,
    • “Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
    • “CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
    • “The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.”
  • HHS’s 405(d) program released an Operational Continuity Cyber Incident Checklist.
  • Here is a link to Dark Reading’s CISO Corner.
  • Bleeping Computer lets us know,
    • “Bitdefender has released a decryptor for the ‘ShrinkLocker’ ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victim’s files.
    • “Discovered in May 2024 by researchers at cybersecurity company Kaspersky, ShrinkLocker lacks the sophistication of other ransomware families but integrates features that can maximize the damage of an attack.
    • “According to Bitdefender’s analysis, the malware appears to have been repurposed from benign ten-year-old code, using VBScript, and leverages generally outdated techniques.”
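The Cybersecurity Dive item above notes that CSAF advisories are machine readable so CVEs can be digested faster and in volume. As an added example (not code from Microsoft, CISA or any outlet quoted here), the Python below loads a constructed CSAF 2.0 advisory, keeps only the vulnerabilities that list products in a constructed inventory, and orders them so CVEs that also appear in a constructed KEV-style set come first. The advisory, product names, inventory and KEV set are all made up; the only real identifiers are CVE-2024-9463 and CVE-2024-9465 from the page.

```python
"""Triage a CSAF 2.0 advisory against an inventory and a KEV-style set.

All data below is constructed for illustration: the advisory is not a real
vendor document, the inventory is made up, and SAMPLE_KEV is a tiny
hand-written set, not the CISA KEV feed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed CSAF 2.0 advisory. Field names (document.tracking.id,
# product_tree.full_product_names, vulnerabilities[].product_status,
# vulnerabilities[].remediations[].category) follow the CSAF 2.0 schema;
# the values are placeholders except the CVE ID quoted on the page.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "title": "Constructed sample advisory",
        "tracking": {"id": "EXAMPLE-ADV-0001", "status": "final", "version": "1"},
    },
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "Example Tool 1.0 (placeholder)"},
            {"product_id": "CSAFPID-0002", "name": "Example Tool 1.1 (placeholder)"},
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2024-9463",  # ID from the page; the product mapping is constructed
            "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
            "scores": [{"cvss_v3": {"baseScore": 9.9}, "products": ["CSAFPID-0001"]}],
            "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.1",
                              "product_ids": ["CSAFPID-0001"]}],
        },
        {
            "cve": "CVE-2024-0000",  # placeholder CVE ID, not a real assignment
            "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
            "scores": [{"cvss_v3": {"baseScore": 5.3}, "products": ["CSAFPID-0001", "CSAFPID-0002"]}],
            "remediations": [{"category": "none_available", "details": "No fix yet",
                              "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}],
        },
    ],
})

# Constructed KEV-style set; the page reports CISA added these two IDs to KEV.
SAMPLE_KEV = {"CVE-2024-9463", "CVE-2024-9465"}

# Constructed inventory of CSAF product IDs this organisation actually runs.
SAMPLE_INVENTORY = {"CSAFPID-0001"}


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    score: Optional[float]  # CVSS v3 base score, if the advisory scores this product
    in_kev: bool            # CVE also appears in the KEV-style set
    remediation: str        # CSAF remediation category, e.g. vendor_fix


def product_names(doc: dict) -> dict:
    """Map product_id to display name from product_tree.full_product_names.

    Real advisories may also nest products under product_tree.branches; the
    sample only uses full_product_names, so that is all this walks.
    """
    tree = doc.get("product_tree", {})
    return {p["product_id"]: p["name"] for p in tree.get("full_product_names", [])}


def triage(csaf_json: str, kev: set, inventory: set) -> list:
    """Return findings for products we run, KEV-listed CVEs first, then by score."""
    doc = json.loads(csaf_json)
    names = product_names(doc)
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "(no CVE)")
        affected = set(vuln.get("product_status", {}).get("known_affected", []))
        for pid in sorted(affected & inventory):
            score = None
            for s in vuln.get("scores", []):
                if pid in s.get("products", []) and "cvss_v3" in s:
                    score = s["cvss_v3"].get("baseScore")
            remediation = "none_listed"
            for r in vuln.get("remediations", []):
                if pid in r.get("product_ids", []):
                    remediation = r.get("category", remediation)
                    break
            findings.append(Finding(cve, names.get(pid, pid), score, cve in kev, remediation))
    # Known-exploited CVEs outrank everything else; within a tier, highest CVSS first.
    findings.sort(key=lambda f: (not f.in_kev, -(f.score or 0.0)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSAF, SAMPLE_KEV, SAMPLE_INVENTORY):
        flag = "KEV" if f.in_kev else "   "
        print(f"{flag} {f.cve:<15} {f.score!s:>5} {f.remediation:<15} {f.product}")
```

Products the advisory lists only under `fixed` produce no finding, which is why an inventory of just CSAFPID-0002 surfaces only the placeholder CVE.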